We're continuing on with cryptocurrency investigation. And last time we talked about blockchain and I specifically said that wallets are a user interface to interact with the ledger system. So today we're going to look at two different types of wallet systems. And the first is an exchange, which is usually a website. Here I'm looking at Coinbase.com, but there's lots of other types of exchanges as well. You can see if I'm trading, I have the option to buy, for example, Bitcoin, Ethereum, Tether, USD Coin, and a lot of other coins. So exchanges tend to use what's called a custodial wallet, where they actually have access to the wallet. And whenever you buy something, you actually buy a share of whatever value they're holding. What that lets them do is hold a large amount of money and then say that you own a piece of it and keep accounting that way. That greatly reduces fees because you don't actually have to make transactions on the blockchain every time you're trying to buy a cryptocurrency. You're just keeping it in their own ledger system, which they don't charge you for or don't charge you as much for. Any cryptocurrency that's available, they automatically create a wallet for you. And you can see that I bought Bitcoin, the amount that I bought and the price that it was, and then I also sent Bitcoin. So you can see that there are transactions recorded in the exchange whenever you buy, send, or sell, whatever you're doing there. If I look at the transactions, I can see the date, I can see Bitcoin was sent and the address that Bitcoin was sent to. So I'm specifically looking at Bitcoin here. You saw that there were a lot of different coins. Each coin will have its own ledger system or might be riding on the back of another coin's ledger system. So the tools that you use to analyze each of the ledger systems will be slightly different because they're different networks.
So if I want to analyze, for example, the Bitcoin blockchain, I need to join as a node on the Bitcoin blockchain. And then I can download all of those transactions and monitor them as they come in. If I'm looking at something like Ethereum, it's a different network. So I'm going to have to join as a node on that network and then process transactions from that network. If we're just analyzing some simple transactions, then I can use a couple of different free tools online. So for example, Blockchain Explorer from blockchain.com, that's an easy one to use. You just put in the address you want to analyze here. There's also the Blockstream Explorer, the Bitcoin explorer tool that they have. You just put in either the hash or the wallet address that you want to analyze, but I'll come back to these. So we were talking about a custodial wallet, which is usually at an exchange or a website that's holding your cryptocurrency for you. But what most people who are really serious about cryptocurrency end up doing is getting a local wallet, either a local wallet on their phone or on their computer. So I'm going to be looking at the Electrum Bitcoin wallet today. You can download this and install it on your local computer. And then that wallet becomes a node in the network, most likely a non-mining node. It can see the transactions and it can also make new transactions on the blockchain. And then this is what it looks like. I have four different wallets open here. Each of those wallets has a Bitcoin address that can send and receive funds in each wallet. So for example, we go to our first wallet. You can see that I have two transactions already made here. I have the option to send or receive, and then I can generate an address. So for example, if I click new address, then I have a new Bitcoin address where I can actually receive funds. And now I can send that address to my colleague.
I can request them to send me Bitcoin and then they can send the Bitcoin directly to that address. And it will end up in this individual wallet and not these other wallets. So I can have multiple wallets on my system. Each of those wallets has different Bitcoin addresses associated with it. And that's a really important point. I can generate as many Bitcoin addresses as I want for each wallet. So one wallet could have one address, another wallet could have a hundred addresses. And I can just keep generating these addresses as much as I want. To make things a little bit more clear, let's go ahead and create a new wallet so you can see the process. So if I go to File, then New/Restore, I can call the wallet "new test wallet" and click Next. And then I have a couple of different options, either a standard wallet or a wallet with two-factor authentication. This uses a two-factor authentication service. The wallet can be opened with two keys, the key that we hold and then a key that the two-factor authentication service holds. We authenticate with the two-factor authentication service and then they use their key to unlock our wallet. We also have a multi-signature wallet and this lets multiple people unlock the wallet. So for example, we have here four different keys that are available. Let's say four different people that are coming together and out of those four people, two people need to agree to unlock the funds in that wallet. And then we have import Bitcoin address or private keys. And this is interesting because if we import a Bitcoin address, we don't actually get access to make transactions under that Bitcoin address. We can just monitor it. So it's kind of like read-only access to that address. But if we import the private key, now we have the ability to make transactions on the blockchain. Getting those private keys or getting a seed, we'll see in a second, is basically how you're going to seize wallets. So we have a standard wallet, click Next.
And then I was talking about seeds. So create new seed, I already have a seed, use a master key or use a hardware device. A lot of people are using hardware devices and their wallet is essentially stored off of their computer on that hardware device. Using a master key, whenever you have a wallet, you have a private and public master key. If you input the public key here, you'll get read-only access to all of the wallet. If you import the private key, you'll get write access to the ledger system. So basically you'll get full control. If you know the suspect's seed value, then that lets you regenerate the private keys. And then you can also take over the wallet that way, or you have a new seed. So let's go ahead and click Next and create a new seed. The seed looks like several different words put together. We also have options here that let us extend the seed with custom words. So these words are already known, the library or the dictionary of words that are used are already known. And then they just make them random. But a lot of people also extend the seed with custom words and then you can put in any words you want. So just brute forcing this becomes a little bit more difficult, but a lot of people don't do custom seeds. So maybe brute forcing is possible. Click Next. And then it asks for a password. If I put a password in, then I can encrypt the wallet file. I won't encrypt the wallet file for now, but we'll take a look at that in a second. And now I have my new wallet. If I click information, then we can see our master public key, but they can't see my private key. And that's the important part. Whenever we want to seize a wallet, there are three things we really want to look for: the seed value, the master private key, or the Bitcoin address private key. If we get any of those three things, then we can get access to make transactions using those keys. So where can you find some of these things?
If you're looking at a suspect's computer and they already have a wallet installed, you can go into where the wallets are held. So for example, I am in my user directory and then a hidden folder, .electrum, and I do ls. I'm on Linux, but it also works for Windows. The only thing really interesting in this .electrum folder is, for example, this config file, possibly recent servers, and then also wallets. So we have, for example, in the config, information about wallets and their locations. So that could be interesting. The last wallet that was used, information about all of the wallets in the system and their locations. So let's go into wallets. And then you can see that I have my four wallets that were displayed. And then I also have our new test wallet. So let's go ahead and look at the investigation test zero one. So if I do cat investigation test zero one, and then I'm going to pipe that into more. First, we have the address history. And this is basically different addresses that are inside that wallet. Transactions or other information that has taken place. Invoices. Here we have transactions and we also have the local message. This message isn't on the blockchain. It's just locally held. The address that we've sent some balance to. And then I believe this is the balance. Next, we have the keystore, which has information about our different hashes. The seed for this individual wallet. And you can see that it's in plain text here. We have the private master key here. We have the public master key. If we're able to get this wallet file in plain text, then we're able to see the seed. We're able to see the master private key. We can take over this wallet and then potentially seize all of the cryptocurrency that's available there. Then we also have our payment requests. And this is basically just our transactions that have gone through. That was our investigation test zero one. But most people are going to set a password and use encryption.
So whenever you do encrypt your wallets, what it looks like is cat investigation to encrypted. So we get something that looks like this. This is just encrypted text. So most of the time these days, you're going to come across an encrypted wallet because keeping it in plain text is just too dangerous. Just expect that the wallet will be encrypted. There's a couple of different ways to go about the encryption. We already have access to the suspect's system. Look for passwords. Look for a password manager around the suspect's device. Look for anything that might look like a seed value. People will definitely want to back up that seed value in case they're losing everything. If we're lucky, the wallet will be unencrypted and then we can just see the seed value. We can see the private key and then we can just seize the entire value of whatever's in that wallet. If the wallet is already open, I can go to, for example, Wallet, Private keys and then Export private keys. It will show me the Bitcoin address plus the private key associated with those wallets. Then I can just click Export and then it will export it as a CSV file. I want to try to get that as quickly as possible because those private keys will let me seize that Bitcoin address. So I have my wallet that I want to investigate. We kind of know how the wallets work and how you would seize wallets. Let's go ahead and look at the transactions. So I have a transaction coming in and I have this transaction ID. So I'm going to go ahead and copy that transaction ID. I can see all the Bitcoin addresses that Bitcoin was sent to, including the address that we're currently investigating. I can take this transaction ID, go to the Blockstream Explorer and then just type in the transaction ID. So I can use the transaction ID, I can use the hash, I can use the Bitcoin address. So I have the Bitcoin address that the money was sent from and then I have all of the addresses that it was sent to.
So on the left-hand side is where it's coming from. On the right-hand side are all of the addresses that it's sent to. So if we go all the way to the bottom, number 63 is actually the address that we're interested in. Is everything else related to this address? No. So we sent the money, for example, from Coinbase. It will take all of the transactions that were requested on Coinbase from all of the different users at that time. It will group them together and then send them all as one transaction on the blockchain. All of these other addresses are probably unrelated to us. We're not interested in them. If we go up and we see where the money was sent from, this is the address that it was sent from. And we have our address that we're looking at, number 63 here. If we click on it, we can see that there are two transactions. This is where we received the money that was from Coinbase. So that's our Coinbase address sent to four different Bitcoin addresses. Each of these wallets, if I click on one of the wallets, then I only have one transaction coming in. But from this wallet, we can see where the money came from: Coinbase. We can see where the money went: four other Bitcoin addresses that could be in either four wallets or one wallet or two wallets or three wallets. We don't know. What does that actually look like whenever I'm looking at the wallets? The wallet with the transactions. So the first transaction coming in, and this is the money coming in from Coinbase. And then we have the wallet's transactions going out. We have the four Bitcoin addresses that it went out to. And I can see, for example, that we have one transaction to each of these addresses. So from a forensics perspective, the first thing you do is find out what addresses are actually associated with that suspect. Find all the transactions with those addresses. And then take those transactions and then use that in your interrogation to find out who it's associated with.
If you're doing big cases of money laundering, just using something like blockchain.com is not going to be powerful enough. You saw that we only had three or four transactions and it already started to get a little bit complicated and confusing because there's so much information. Instead, you can either get access to the blockchain yourself and then write statistical software that will analyze whatever it is you're trying to analyze. Or you can use commercial products like Chainalysis to do these bigger investigations. So in later videos, we will talk about more complicated technical analysis of a blockchain. But from this video, you should at least have a basic understanding of how to seize a wallet using the seed, master private key, or a Bitcoin address private key. You should also have an idea of how to get at least basic transaction information, if not from the wallet directly, from a website like blockchain.com. So as a practice, I'm going to hide some wallet IDs around and I want you to try to seize the Bitcoin inside those wallets. So that should get you started. Next week, we'll talk about more technical analysis of ledger systems. Thank you very much.
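
The wallet-file check from the walkthrough above (a plaintext file showing the seed and master keys versus an encrypted file), as an added example that is not part of the original video or Electrum's own code: it classifies a wallet file and lists which key fields are present without returning their values. The field names (`keystore`, `seed`, `xprv`, `xpub`, `keypairs`, `use_encryption`) and the `BIE1`/`BIE2` marker are assumptions about Electrum's file layout, and the samples are constructed.

```python
import base64
import json

# Fields that give spending control, matching the three items the transcript
# lists (seed, master private key, per-address private keys), and the
# watch-only field. Names are assumed from Electrum's plaintext JSON layout.
SPEND_FIELDS = ("seed", "xprv", "keypairs")
WATCH_FIELDS = ("xpub",)


def triage_wallet(raw: bytes) -> dict:
    """Classify a wallet file; report field names only, never secret values."""
    text = raw.decode("utf-8", errors="replace").strip()
    try:
        data = json.loads(text)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        # Not a JSON object: check for the assumed encrypted-file marker
        # (base64 whose decoded bytes start with "BIE1" or "BIE2").
        try:
            magic = base64.b64decode(text, validate=True)[:4]
        except ValueError:
            magic = b""
        state = "file-encrypted" if magic in (b"BIE1", b"BIE2") else "unrecognized"
        return {"state": state, "spend": [], "watch": []}
    keystore = data.get("keystore")
    if not isinstance(keystore, dict):
        keystore = {}
    spend = [f for f in SPEND_FIELDS if keystore.get(f)]
    watch = [f for f in WATCH_FIELDS if keystore.get(f)]
    if spend and data.get("use_encryption"):
        state = "plaintext-file-keys-encrypted"  # secrets still need the password
    elif spend:
        state = "plaintext-keys-exposed"
    elif watch:
        state = "watch-only"
    else:
        state = "no-key-material"
    return {"state": state, "spend": spend, "watch": watch}


# Constructed samples (placeholder values, not real key material).
PLAINTEXT_SAMPLE = json.dumps({
    "addr_history": {}, "use_encryption": False,
    "keystore": {"type": "bip32", "seed": "CONSTRUCTED PLACEHOLDER SEED",
                 "xprv": "xprv-CONSTRUCTED", "xpub": "xpub-CONSTRUCTED"},
}).encode()
ENCRYPTED_SAMPLE = base64.b64encode(b"BIE1" + bytes(60))

if __name__ == "__main__":
    for name, blob in (("plain", PLAINTEXT_SAMPLE), ("enc", ENCRYPTED_SAMPLE)):
        print(name, triage_wallet(blob))
```

Run it against a working copy of the wallet file, not the original evidence item, and record the reported state in the examination notes.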